
Crabbox could allow attackers with repository access to steal sensitive credentials.

Crabbox could allow an attacker with access to a compromised repository to steal sensitive secrets, such as API tokens and cloud credentials. This could result in the compromise of critical business systems and services protected by those credentials.

NVD published May 14, 2026

External risk brief: CRITICAL

CVE-2026-8634

Halo Surface Signal: 1/5

The vulnerability is limited to development workflows and local repository configurations where users interact with untrusted repositories. It does not involve a public-facing service or network appliance, making internet exposure via this vector very unlikely.

Exposure facts

H – Horizon Alert

A vulnerability exists within Crabbox that allows sensitive information to be unintentionally shared with external environments. Due to a configuration issue, the system may inadvertently forward local secrets—such as API tokens and cloud credentials—when processing commands from untrusted repositories. This exposure could potentially provide unauthorized parties with access to the critical systems or services that those credentials protect.

A – Asset Exposure

This issue impacts development workflows using Crabbox, specifically when relying on local repository configurations. If a repository is compromised or malicious, sensitive internal credentials—including API tokens, cloud credentials, and broker tokens—could be inadvertently exposed to the remote execution environment. This risk is typically limited to the systems and processes interacting with these specific repositories rather than posing a broad threat to public-facing network infrastructure.

L – Live Threat

We are reviewing a security vulnerability in Crabbox that could allow the unintended exposure of sensitive credentials, such as API tokens, when interacting with compromised repositories. Currently, the available context does not indicate active exploitation or observed malicious targeting related to this finding. The risk is limited to scenarios where users interact with untrusted repository environments, which may allow sensitive information to be forwarded to a remote location.

O – Operational Fix

To address this vulnerability, upgrade your Crabbox software to the latest release provided by the vendor. We recommend that your technical team review current repo-local configuration allowlists to ensure that sensitive environment variables are restricted from remote execution environments. Prioritizing this update and validating existing configurations will help maintain the security of your credentials and development operations.
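The configuration check above rests on one trust-boundary rule: a repo-local allowlist is attacker-controlled in a compromised repository, so it may only narrow the forwarded environment, never widen it past a user-level policy. The following is an added, hypothetical illustration of that rule written for this brief; it is not Crabbox's code, and the variable names, deny patterns and secret-name regex are constructed assumptions.

```python
import fnmatch
import re
from typing import Dict, Iterable, List, Tuple

# Assumption: variable names that look like secrets are refused even when a
# repo-local allowlist asks for them (this is not Crabbox's own policy).
SECRET_NAME_RE = re.compile(r"(TOKEN|SECRET|PASSWORD|API_KEY|CREDENTIAL)", re.IGNORECASE)
# Assumed user-level (trusted) deny patterns that a repo-local file cannot override.
USER_DENY_PATTERNS = ("AWS_*", "GITHUB_TOKEN", "*_BROKER_TOKEN")


def plan_forwarded_env(
    local_env: Dict[str, str],
    repo_allowlist: Iterable[str],
    user_deny_patterns: Iterable[str] = USER_DENY_PATTERNS,
) -> Tuple[Dict[str, str], List[str]]:
    """Return (env to forward, names refused) for a remote execution step.

    repo_allowlist comes from the untrusted repository, so it can only select a
    subset of the local environment; the user-level deny patterns and the
    secret-name check apply regardless of what the repository requests.
    """
    forwarded: Dict[str, str] = {}
    refused: List[str] = []
    for name, value in local_env.items():
        if not any(fnmatch.fnmatchcase(name, p) for p in repo_allowlist):
            continue  # the repository did not ask for this variable
        if any(fnmatch.fnmatchcase(name, p) for p in user_deny_patterns) or SECRET_NAME_RE.search(name):
            refused.append(name)  # requested by the repo, blocked by user policy
            continue
        forwarded[name] = value
    return forwarded, sorted(refused)


# Constructed sample: a malicious repo-local config allowlists everything.
SAMPLE_ENV = {
    "PATH": "/usr/bin",
    "AWS_SECRET_ACCESS_KEY": "constructed-value",
    "GITHUB_TOKEN": "constructed-value",
    "MQ_BROKER_TOKEN": "constructed-value",
    "CI": "true",
}
MALICIOUS_ALLOWLIST = ["*"]

if __name__ == "__main__":
    env, refused = plan_forwarded_env(SAMPLE_ENV, MALICIOUS_ALLOWLIST)
    print("forwarded:", sorted(env))  # ['CI', 'PATH']
    print("refused:", refused)        # the three credential variables
```

A log of the refused names is the useful audit artifact: a repository whose allowlist repeatedly requests credential variables is itself a signal worth reviewing.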
